Plaintiff's law firm issued a press release on October 11, 2018, announcing the lawsuit. According to the press release, Alphabet was incorporated in 2015 and is the parent company of its leading subsidiary Google Inc. (“Google”), among others. Alphabet, through its subsidiary Google, operates a social networking website called “Google+” that allows people to communicate with their family, friends, and coworkers. Google+ users ostensibly have the ability to share and restrict the sharing of personal information according to their preferences by changing privacy settings.
Between 2015 and March 2018, a software glitch in the Google+ website permitted outside developers to access the personal profile data of Google+ members who had not opted to permit their data to be shared publicly. Defendants discovered this glitch in March 2018, ran tests to determine the impact of the glitch, and determined that the data of nearly half of a million users had been exposed to third parties. Google’s legal and policy staff drafted a memorandum regarding the security failure and shared it with senior executives. The memorandum warned that disclosing the incident would likely trigger “immediate regulatory interest.” Google’s CEO was briefed on the plan not to notify users after an internal committee had reached that decision.
The Complaint alleges that throughout the Class Period, Defendants made materially false and misleading statements regarding the Company’s business, operational and compliance policies. Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (1) the Company’s security measures had failed recently and massively, as Google had exposed the private data of hundreds of thousands of users of Google+ to third parties; (2) damage to the Company’s reputation and operating results and loss of customers from this failure of the Company’s security measures were imminent and inevitable; (3) the Company’s security protections did not shield personal user data against theft and security breaches; and (4) the Company’s security measures had been breached due to employee error, malfeasance, system errors or vulnerabilities.
On January 25, 2019, the Court issued an Order consolidating cases and appointing Lead Plaintiff and Counsel. Lead Plaintiff filed a consolidated amended Complaint on April 26. Defendants filed a Motion to Dismiss the consolidated amended Complaint on May 31. On February 5, 2020, the Court issued an Order granting Defendants' Motion to Dismiss. Plaintiffs were given leave to amend the Complaint.